Ransomware Group: SAFEPAY

VICTIM NAME: ferienwohnungen[.]de

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

ferienwohnungen[.]de, a German online booking platform that connects travelers to over 77,000 holiday homes and apartments across Europe, is identified as the victim in a ransomware leak post published on August 26, 2025. The victim operates in the Hospitality and Tourism sector and is based in Germany. The leak page presents the entry as a victim post and includes a claim URL for verification (defanged). The post date is August 26, 2025; there is no explicit compromise date listed in the data, and no ransom amount is disclosed in the available metadata. The page appears to be a standard data-leak entry rather than a straightforward encryption notice.

The leak page includes background information about ferienwohnungen[.]de’s business, described in English, noting the platform’s European footprint and a revenue figure of $66.6 million appearing in the excerpt. It emphasizes that the service targets family-friendly and value-conscious travelers seeking reliable rentals directly from private owners. The page shows no visual content—there are no screenshots or images—and there are no downloadable files or attachments listed. A claim URL is present on the page (defanged), but the actual address is not included here. The country of operation is Germany, and the victim name,ferienwohnungen[.]de, is the primary identifier in the dataset.

Observations: The available data do not explicitly state whether data was encrypted or simply leaked, and there is no disclosed ransom amount. The post date serves as the primary timestamp, with no separate compromise date provided beyond that. The leak page’s content focuses on a general profile of the victim rather than technical breach details, and there are no visible data samples or screenshots to assess at this time. Stakeholders should monitor for future updates from the leak source for potential data disclosures or ransom-related notices, while treating ferie­wohn­ungen[.]de as the identified victim name in this report.